← Back to Skills Marketplace

Oracle 收盘报告

Name: Oracle 收盘报告
Author: icemanzb

by icemanZB · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install oracle-report

Description

生成包含大盘指数、情绪资金和全球市场数据的A股市场日报，支持节假日处理和飞书卡片格式发送。

Usage Guidance

Do not install or run this skill without addressing the hardcoded credentials and default recipient. Specifically: - The script contains hardcoded API keys (QVERIS_API_KEY, MX_APIKEY, TUSHARE_TOKEN, FINNHUB_API_KEY). Treat these as compromised: ask the author to remove them or reject the skill. Do not assume they are placeholders. - The script also hardcodes a default FEISHU_TARGET (a specific user id). That means reports (and any data collected) could be sent to an external account without your explicit configuration. - Before using: inspect the full script, remove or replace hardcoded keys with environment-variable reads (and ensure the skill actually honors them), and set FEISHU_TARGET to a value you control. Rotate any API keys that may have been shared in this repo. - Run the script in an isolated/test environment first (no sensitive credentials) and monitor outbound traffic. If you cannot verify the origin/owner or get corrected code, avoid installing or copying this skill to other robots.

Capability Analysis

Type: OpenClaw Skill Name: oracle-report Version: 1.0.0 The skill bundle is a functional market report generator but contains several high-risk security practices. Most notably, the script 'oracle_report_generator.py' contains multiple hardcoded API keys and tokens for financial services (QVeris, Tushare, Finnhub, and mx_data) as well as a hardcoded Feishu recipient ID. It also frequently uses 'subprocess.run(shell=True)' to execute shell commands and external scripts, which is a significant security risk for shell injection. While the code appears to perform its stated task, the inclusion of hardcoded credentials and the use of unsafe execution methods are characteristic of poorly secured or potentially tracking-enabled software.

Capability Assessment

ℹ Purpose & Capability

The skill's name/description (A股日報 + Feishu card sending) matches the code and declared dependencies (mx_data, qveris). Requiring those skills is coherent. However, the code embeds API keys and other service credentials directly in the script instead of using the declared environment variables, which is inconsistent with the stated design.

⚠ Instruction Scope

SKILL.md instructs running the included Python script and optionally configuring FEISHU_TARGET via an env file. The script performs network calls to many external data providers (QVeris, mx_data, Tushare, Finnhub, FRED, AKShare, Sina, etc.) and will send output to a Feishu target. The script defaults to a hardcoded FEISHU_TARGET value and hardcoded API keys, meaning it can transmit collected market data (and any data accessible to the script) to a preconfigured external recipient even if the operator didn't set env vars — this is scope creep from a user's expected 'run and get a report' flow.

✓ Install Mechanism

No install spec is provided (instruction-only plus a script); nothing is downloaded at install time. That keeps install risk low. The script expects other local skills to be present and uses local paths under ~/.openclaw, which is expected for this environment.

⚠ Credentials

_meta.json and SKILL.md declare QVERIS_API_KEY and MX_APIKEY (and optional TUSHARE_TOKEN, FEISHU_TARGET) as env-based configuration, but the Python script contains hardcoded values for QVERIS_API_KEY, MX_APIKEY, TUSHARE_TOKEN, FINNHUB_API_KEY and a default FEISHU_TARGET user id. This mismatch is disproportionate and dangerous: it embeds secrets in code, ignores operator-provided credentials, and could leak data or allow unexpected API usage billed to those keys. The presence of multiple keys in code without explanation increases risk.

✓ Persistence & Privilege

The skill is not marked always:true and does not request system-wide privileges. It reads/writes under the user's ~/.openclaw workspace and caches a trade calendar there. Copying the skill to other robots is documented but is a user action; no automatic escalation or modification of other skills' configs is present in the inspected files.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install oracle-report
After installation, invoke the skill by name or use /oracle-report
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

首次发布：A股收盘日报生成器

Metadata

Slug oracle-report

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Oracle 收盘报告?

生成包含大盘指数、情绪资金和全球市场数据的A股市场日报，支持节假日处理和飞书卡片格式发送。 It is an AI Agent Skill for Claude Code / OpenClaw, with 78 downloads so far.

How do I install Oracle 收盘报告?

Run "/install oracle-report" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Oracle 收盘报告 free?

Yes, Oracle 收盘报告 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Oracle 收盘报告 support?

Oracle 收盘报告 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Oracle 收盘报告?

It is built and maintained by icemanZB (@icemanzb); the current version is v1.0.0.

More Skills